A direct look at the principles of PHP serialization and deserialization

0. Preface

The serialization and deserialization functions of objects will not be described in detail. Serialization in php The result is a PHP-customized string format, somewhat similar to json.

We need to solve several problems when designing the serialization and deserialization of objects in any language

After an object is serialized, the serialization result has a self-describing function (knowing the specific type of the object from the serialization result,

knowing the type is not enough, of course you also need to know the type The corresponding specific value).

Permission control during serialization, you can customize the serialization fields, etc., for example, it is very convenient to do it in golang.

Time performance issues: In some performance-sensitive scenarios, object serialization cannot hold back, such as: high-performance services (I often use protobuf for serialization).

Space performance issues: Serialization The subsequent result cannot be too long. For example, if an int object is in memory and the data length becomes 10 times the length of int after serialization, then there is a problem with the serialization algorithm.

This article only starts from Explain the process of serialization and deserialization in PHP from the perspective of PHP code. Remember that serialization and deserialization only operate on object data. This should be easy to understand for anyone with experience in object-oriented development.

Related learning recommendations: PHP programming from entry to proficiency

1. Serialize and deserialize methods unserialize

php natively provides object serialization function, unlike c...^_^. It is also very simple to use, just two interfaces.

class fobnn
{
 public $hack_id;
 private $hack_name;
 public function __construct($name,$id)
 {
  $this->hack_name = $name;
  $this->hack_id = $id;
 }
 public function print()
 {
  echo $this->hack_name.PHP_EOL;
 }
}
$obj = new fobnn('fobnn',1);
$obj->print();
$serializedstr = serialize($obj); //通过serialize接口序列化
echo $serializedstr.PHP_EOL;;
$toobj = unserialize($serializedstr);//通过unserialize反序列化
$toobj->print();

fobnn
O:5:"fobnn":2:{s:7:"hack_id";i:1;s:16:"fobnnhack_name";s:5:"fobnn";}
fobnn

See the output of the second line , this string is the result of serialization. This structure is actually easy to understand. It can be found that it is mapped through object name/member name. Of course, the tag names after serialization of members with different access rights are slightly different.

Based on the three questions I mentioned above, we can take a look

1. Self-describing function

O:5:"fobnn":2 where o represents Object type, and the type name is fobnn. In this format, the following 2 indicates that there are two member objects.

Regarding the member objects, it is actually the same set of sub-descriptions. This is a recursive definition.

The self-describing function is mainly implemented by recording the names of objects and members through strings.

2. Performance issues

The time performance of PHP serialization will not be analyzed in this article. See below for details, but the serialization result is actually similar to the protocol defined by json/bson. There is a protocol header. The protocol header describes the type, and the protocol body describes the value corresponding to the type. The serialization result will not be compressed.

2. Magic method in deserialization

corresponds to the second problem mentioned above. In fact, there is also a solution in PHP, one is through the magic method , the second is a custom serialization function. Let’s first introduce the magic methods __sleep and __wakeup

class fobnn
{
 public $hack_id;
 private $hack_name;
 public function __construct($name,$id)
 {
  $this->hack_name = $name;
  $this->hack_id = $id;
 }
 public function print()
 {
  echo $this->hack_name.PHP_EOL;
 }
 public function __sleep()
 {
  return array("hack_name");
 }
 public function __wakeup()
 {
  $this->hack_name = 'haha';
 }
}
$obj = new fobnn('fobnn',1);
$obj->print();
$serializedstr = serialize($obj);
echo $serializedstr.PHP_EOL;;
$toobj = unserialize($serializedstr);
$toobj->print();

fobnn
O:5:"fobnn":1:{s:16:"fobnnhack_name";s:5:"fobnn";}
haha

before serialization, __sleep will be called first and return an array of member names that need to be serialized. , through this we can control the data that needs to be serialized. In the case, I only returned hack_name. You can see that only the hack_name member is serialized in the result.

After the serialization is completed , will jump to __wakeupHere we can do some follow-up work, such as reconnecting to the database.

3. Customize the Serializable interface

interface Serializable {
abstract public string serialize ( void )
abstract public void unserialize ( string $serialized )
}

Through this interface we can customize the behavior of serialization and deserialization. This function can mainly be used to customize our serialization format.

class fobnn implements Serializable
{
 public $hack_id;
 private $hack_name;
 public function __construct($name,$id)
 {
  $this->hack_name = $name;
  $this->hack_id = $id;
 }
 public function print()
 {
  echo $this->hack_name.PHP_EOL;
 }

 public function __sleep()
 {
  return array('hack_name');
 }

 public function __wakeup()
 {
  $this->hack_name = 'haha';
 }

 public function serialize()
 {
  return json_encode(array('id' => $this->hack_id ,'name'=>$this->hack_name ));
 }

 public function unserialize($var)
 {
  $array = json_decode($var,true);
  $this->hack_name = $array['name'];
  $this->hack_id = $array['id'];
 }
}
$obj = new fobnn('fobnn',1);
$obj->print();
$serializedstr = serialize($obj);
echo $serializedstr.PHP_EOL;;
$toobj = unserialize($serializedstr);
$toobj->print();

fobnn
C:5:"fobnn":23:{{"id":1,"name":"fobnn"}}
fobnn

After using the custom serialization interface, we The magic method is useless.

4.PHP dynamic type and PHP deserialization

Since the self-describing function mentioned above, then The type of object is saved in the serialization result, and php is a dynamically typed language, so we can do a simple experiment.

class fobnn
{
 public $hack_id;
 public $hack_name;
 public function __construct($name,$id)
 {
  $this->hack_name = $name;
  $this->hack_id = $id;
 }
 public function print()
 {
  var_dump($this->hack_name);
 }
}
$obj = new fobnn('fobnn',1);
$obj->print();
$serializedstr = serialize($obj);
echo $serializedstr.PHP_EOL;;
$toobj = unserialize($serializedstr);
$toobj->print();
$toobj2 = unserialize("O:5:\"fobnn\":2:{s:7:\"hack_id\";i:1;s:9:\"hack_name\";i:12345;}");
$toobj2->print();

We modify hack_nameThe deserialization result is int type, i:12345

string(5) "fobnn"
O:5:"fobnn":2:{s:7:"hack_id";i:1;s:9:"hack_name";s:5:"fobnn";}
string(5) "fobnn"
int(12345)

It can be found that the object was successfully serialized back! And it can work normally!. Of course, this mechanism of PHP provides flexible and changeable syntax, but Security risks are also introduced. We will continue to analyze the security issues caused by PHP serialization and deserialization features.

The above is the detailed content of A direct look at the principles of PHP serialization and deserialization. For more information, please follow other related articles on the PHP Chinese website!